1. Field of the Invention
The present invention relates generally to computer security, and more particularly but not exclusively to methods and apparatus for detecting web threat infection chains.
2. Description of the Background Art
Computer viruses, worms, Trojans, rootkits, and spyware are examples of malicious codes that have plagued computer systems throughout the world. Although there are technical differences between each type of malicious code, malicious codes are also collectively referred to herein as “viruses.” Malicious codes have become so prevalent that most experienced computer users run some form of antivirus software on their computers. Antivirus software for scanning data for malicious codes is commercially available from several vendors, including Trend Micro, Inc.
Web threats refer to malicious activities perpetrated over the Internet. A web threat may involve delivery of a virus by way of a malicious website. The malicious website may be a compromised legitimate website (e.g., infected or hijacked) or a website specifically configured for malicious purposes. A web threat may also involve a phishing site configured to imitate a legitimate website to fraudulently obtain confidential information from a user. A web threat may be triggered in a variety of ways, including by navigating to a malicious website, activating a link to a malicious website, and executing an executable file attachment of an email, to name a few examples.
The traditional approach to combating web threats involves compiling the addresses of known malicious websites, such as their DNS (Domain Name System) domain names and IP addresses, in a web reputation database. A web threat filtering service may consult the web reputation database to determine whether a given domain name or IP address is that of a known malicious website. Unfortunately, the inventors believe that the emergence of more sophisticated web threats renders this traditional approach relatively ineffective, since such a reputation check can only block websites whose addresses have already been compiled into the database.
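The following is an added example of the traditional web reputation check described above, written for this edit and not taken from the patent or from any vendor's product. The blocklist entries, the DNS answers, and the URLs are all constructed here so that the example runs offline; `resolve` is a hypothetical hook that a real deployment would point at an actual resolver. It shows the two matching rules a reputation filter needs in practice (label-aware domain suffix matching and CIDR matching of the resolved address), and it also shows the limitation the text refers to: a host that is neither listed nor resolves into a listed network is allowed, however malicious it is.

```python
"""Minimal web reputation filter: domain-name and IP-address blocklist lookup."""
import ipaddress
from urllib.parse import urlsplit

# Constructed blocklist (assumption, not real data). Listed domains also cover
# their subdomains; networks may be single hosts (/32) or whole ranges.
BAD_DOMAINS = {"malware-drop.example", "phish-bank.example"}
BAD_NETWORKS = [ipaddress.ip_network("198.51.100.0/24"),
                ipaddress.ip_network("203.0.113.7/32")]

# Constructed stand-in for DNS resolution so the example runs offline.
FAKE_DNS = {
    "cdn.malware-drop.example": "192.0.2.10",
    "fresh-redirect.example": "198.51.100.25",   # unknown name, listed network
    "new-unknown.example": "192.0.2.200",        # unknown name, unlisted network
    "www.example.org": "192.0.2.1",
}


def normalize_host(url):
    """Return the lower-cased hostname without a trailing dot, or None."""
    host = urlsplit(url).hostname  # drops scheme, userinfo, port, IPv6 brackets
    if not host:
        return None
    return host.rstrip(".")


def domain_listed(host):
    """True if host equals, or is a subdomain of, a listed domain.

    The check is label-aware: 'notmalware-drop.example' must not match
    'malware-drop.example', which a naive endswith() would allow.
    """
    labels = host.split(".")
    return any(".".join(labels[i:]) in BAD_DOMAINS for i in range(len(labels)))


def ip_listed(text):
    """True if text is an IP address inside a listed network."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False
    return any(addr in net for net in BAD_NETWORKS)


def reputation_verdict(url, resolve=FAKE_DNS.get):
    """Return ('block', reason) or ('allow', None) for one URL.

    `resolve` maps a hostname to an IP string or None; FAKE_DNS is the
    constructed default, a real filter would call the system resolver.
    """
    host = normalize_host(url)
    if host is None:
        return ("block", "unparseable URL")
    if ip_listed(host):                       # URL names an IP literal directly
        return ("block", f"ip {host} listed")
    if domain_listed(host):
        return ("block", f"domain {host} listed")
    ip = resolve(host)                        # unknown name: check where it lands
    if ip and ip_listed(ip):
        return ("block", f"{host} resolves to listed ip {ip}")
    return ("allow", None)                    # not in the database: passes


if __name__ == "__main__":
    for u in ("http://CDN.Malware-Drop.example./x.exe",
              "http://203.0.113.7/",
              "http://fresh-redirect.example/",
              "http://notmalware-drop.example/",
              "http://new-unknown.example/landing"):
        print(u, "->", reputation_verdict(u))
```

The last URL in the usage loop is the weak spot: `new-unknown.example` is allowed purely because nobody has added it to the database yet, which is exactly the window a freshly registered malicious site enjoys.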